Analyzing the Relationships Between Labels

Dominant and Dominated Labels

The relationship between two labels can be described in terms of dominance. A user's ability to access an object depends on whether the user's label dominates the label of the object. If a user's label does not dominate the object's label, the user is not allowed to access the object.

Label dominance is analyzed in terms of all its components: levels, compartments, and groups.

Table A-1 Dominance in the Comparison of Labels

Factor | Criteria for Dominance
Level | For label1 to dominate label2, the level of label1 must be greater than or equal to that of label2.
Compartment | For label1 to dominate label2, the compartments of label1 must contain all of the compartments of label2.
Group | For label1 to dominate label2, label1 must contain at least one of the groups of label2.

One label dominates another label if all of its components dominate the components of the other label. For example, the label HIGHLY_SENSITIVE:FINANCE,OPERATIONS dominates the label HIGHLY_SENSITIVE:FINANCE. Similarly, the label HIGHLY_SENSITIVE::WR_AP dominates the label HIGHLY_SENSITIVE::WR_AP, WR_AR.

Non-Comparable Labels

The relationship between two labels cannot always be defined by dominance. Two labels are non-comparable if neither label dominates the other. If any compartments differ between the two labels (as with HS:A and HS:B), then they are non-comparable. Similarly, the labels HS:A and S:B are non-comparable.

Using Dominance Functions

You can use dominance functions to specify ranges in queries. The following functions enable you to indicate dominance relationships between specified labels.

Table A-2 Functions to Determine Dominance

Function | Meaning
STRICTLY_DOMINATES | The value of label1 dominates that of label2, and is not equal to it.
DOMINATES | The value of label1 dominates, or is equal to, that of label2.
DOMINATED_BY | The value of label1 is dominated by that of label2.
STRICTLY_DOMINATED_BY | The value of label1 is dominated by that of label2, and is not equal to it.

Note that there are two types of dominance function. Whereas the SA_UTL dominance functions return BOOLEAN values, the standalone dominance functions return integers.
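The following is an added model of the dominance rules in Table A-1 and the four relationships in Table A-2, written for this page and not taken from Oracle Label Security itself. It assumes the label text form LEVEL:COMPARTMENTS:GROUPS used in the examples above, a constructed level ranking (HS/HIGHLY_SENSITIVE above S/SENSITIVE), and the interpretation that a label2 with no groups places no group constraint on label1.

```python
from dataclasses import dataclass

# Constructed level ranking for the examples on this page (an assumption;
# in a real policy the ranks come from the policy's level definitions).
LEVEL_RANK = {"PUBLIC": 1, "S": 2, "SENSITIVE": 2, "HS": 3, "HIGHLY_SENSITIVE": 3}


@dataclass(frozen=True)
class Label:
    rank: int                # numeric level taken from LEVEL_RANK
    compartments: frozenset  # set of compartment names
    groups: frozenset        # set of group names


def parse_label(text: str) -> Label:
    """Parse 'LEVEL:COMP1,COMP2:GROUP1,GROUP2'; trailing parts may be empty,
    so 'HIGHLY_SENSITIVE::WR_AP' has no compartments and one group."""
    parts = (text.split(":") + ["", ""])[:3]
    level, comps, groups = (p.strip() for p in parts)
    if level not in LEVEL_RANK:
        raise ValueError(f"unknown level: {level!r}")

    def split(s):
        return frozenset(x.strip() for x in s.split(",") if x.strip())
    return Label(LEVEL_RANK[level], split(comps), split(groups))


def dominates(a: Label, b: Label) -> bool:
    """Table A-1: a dominates b when every component of a dominates b's.
    Group rule: if b carries groups, a must hold at least one of them; a b
    with no groups imposes no group constraint (assumed interpretation)."""
    if a.rank < b.rank:
        return False
    if not a.compartments >= b.compartments:
        return False
    if b.groups and not (a.groups & b.groups):
        return False
    return True


# The four relationships of Table A-2, modelled as booleans (the SA_UTL form);
# the standalone functions on the page return integers instead.
def strictly_dominates(a, b): return dominates(a, b) and a != b
def dominated_by(a, b): return dominates(b, a)
def strictly_dominated_by(a, b): return dominates(b, a) and a != b
def non_comparable(a, b): return not dominates(a, b) and not dominates(b, a)


def check(label1: str, label2: str) -> dict:
    """Evaluate every relationship between two label strings at once."""
    a, b = parse_label(label1), parse_label(label2)
    return {"DOMINATES": dominates(a, b), "STRICTLY_DOMINATES": strictly_dominates(a, b),
            "DOMINATED_BY": dominated_by(a, b),
            "STRICTLY_DOMINATED_BY": strictly_dominated_by(a, b),
            "NON_COMPARABLE": non_comparable(a, b)}
```

Running check() over the page's own pairs reproduces its statements: HIGHLY_SENSITIVE:FINANCE,OPERATIONS strictly dominates HIGHLY_SENSITIVE:FINANCE, and HS:A against HS:B or S:B is non-comparable.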

OCI Interface for Setting Session Labels

When using OCI to connect, the policy's SYS_CONTEXT variables can be used to initialize the session label and the row label. The variables are set using the OCIAttrSet function to initialize "externally initialized" SYS_CONTEXT variables. These are available in Release 8.1.7 only when Oracle Label Security is installed.

Each policy has a SYS_CONTEXT named SA$policy_name_X. There are two variables that can be set: INITIAL_LABEL and INITIAL_ROW_LABEL.

When set to valid labels within the user's authorizations, the new values will be used instead of the default values stored for the user. This is the same mechanism used for remote connections